Merge pull request #36653 from nextcloud/bugfix/noid/more-defensive-o…

…ld-token-handling fix(authentication): Handle null or empty string password hash
nextcloud · Feb 20, 2023 · c550aca · c550aca
2 parents bba3a1c + 6417ea0
commit c550aca
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -113,7 +113,7 @@ public function generateToken(string $token,
 		// We need to check against one old token to see if there is a password
 		// hash that we can reuse for detecting outdated passwords
 		$randomOldToken = $this->mapper->getFirstTokenForUser($uid);
-		$oldTokenMatches = $randomOldToken && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
+		$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
 
 		$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);